Skip to main content
Jump to: navigation, search

Difference between revisions of "Eclipse and log4j2 vulnerability (CVE-2021-44228)"

Line 14: Line 14:
 
|Not Vulnerable / Vulnerable
 
|Not Vulnerable / Vulnerable
 
|All packages available from [https://www.eclipse.org/downloads/packages/ Eclipse Downloads] are not vulnerable, except for the Eclipse IDE for RCP and RAP Developers which contain Passage.  Even for packages containing Passage, the risk of exposure due to the tooling support in an IDE is negligible.
 
|All packages available from [https://www.eclipse.org/downloads/packages/ Eclipse Downloads] are not vulnerable, except for the Eclipse IDE for RCP and RAP Developers which contain Passage.  Even for packages containing Passage, the risk of exposure due to the tooling support in an IDE is negligible.
 +
|-
 +
|Eclipse Installer
 +
|*.*.*
 +
|Not Vulnerable
 +
|Does not use log4j. The catalogs used by the installer for installing the Eclipse Packaging Project's products are dynamically loaded and have been updated so that installing and version of the the Eclipse IDE for RCP and RAP Developers will install Passage 2.2.1 with the repaired version of log4j2, i.e., >= 2.15.
 
|-
 
|-
 
|Eclipse SDK
 
|Eclipse SDK

Revision as of 01:32, 14 December 2021

Project Version Status Comment
Passage <= 2.2.0 Vulnerable The risk of exposure due to the tooling support in an IDE is negligible. Tools can be updated to the 2.2.1 release and runtimes should be upgraded to the 2.2.1 release. Older versions of Passage also work with log4j >= 2.15. See Passage Downloads for site details.
Eclipse Packaging Project (Eclipse IDE for ...) *.*.* Not Vulnerable / Vulnerable All packages available from Eclipse Downloads are not vulnerable, except for the Eclipse IDE for RCP and RAP Developers which contain Passage. Even for packages containing Passage, the risk of exposure due to the tooling support in an IDE is negligible.
Eclipse Installer *.*.* Not Vulnerable Does not use log4j. The catalogs used by the installer for installing the Eclipse Packaging Project's products are dynamically loaded and have been updated so that installing and version of the the Eclipse IDE for RCP and RAP Developers will install Passage 2.2.1 with the repaired version of log4j2, i.e., >= 2.15.
Eclipse SDK *.*.* Not Vulnerable Eclipse SDK does not use log4j
JGit 1.0-5.13.0,6.0.0 Not Vulnerable org.eclipse.jgit.pgm uses log4j 1.2.15
EGit 1.0-5.13.0,6.0.0 Not Vulnerable EGit does not use log4j
Jetty *.*.* Not Vulnerable Blog: Jetty & Log4j2 exploit CVE-2021-44228
StatET *.*.* Not Vulnerable
Web Tools Platform *.*.* Not Vulnerable log4j 1.2.15 is used in an unused dependency in a single test plug-in
Scout Runtime 10.x - 22.x Not Vulnerable
Eclipse Hawk *.*.* Not Vulnerable
Eclipse Theia *.*.* Not Vulnerable
Eclipse Dash *.*.* Not Vulnerable
Linux Tools *.*.* Not Vulnerable
Eclipse JKube *.*.* Not Vulnerable Eclipse JKube does not use log4j
Eclipse Modeling Framework (EMF) *.*.* Not Vulnerable Uses log4j 1.x, but only in Xcore tools bundles, not in any runtime bundles deployed in applications.
XML Schema Definition (XSD) *.*.* Not Vulnerable Does not use log4j.
JustJ *.*.* Not Vulnerable Does not use log4j and log4j is not included in the JRE themselves.
Oomph *.*.* Not Vulnerable Does not use log4j.

Back to the top